You are here

Privacy and Data Protection Laws in Southeast Asia

May 15, 2018

By:

Gie Dela Cruz

share this

The world had its first recorded data protection policy in Germany, as early as 1970. Sweden, France, and the U.S. soon followed suit. Since then, many countries around the world have also enacted their respective privacy and data protection laws.

Here in the Philippines, the Data Privacy Act (DPA) was passed into law in 2012. This made the country the second in Southeast Asia to promulgate a comprehensive data protection law. It was only in 2016, however, that it was actively implemented with the establishment of the National Privacy Commission and the subsequent issuance of the statute’s Implementing Rules and Regulations.

Today, there are now three (3) countries implementing comprehensive data protection laws in the Southeast Asian region, out of a total of 10. Of the remaining seven, two have ongoing efforts to draft and pass a legislation, while three have some relevant policies on privacy and data protection. No data was available for the rest, as of this writing.

Have a look at what our peers in the Association of Southeast Asian Nations (ASEAN) have been up to in terms of data protection:

BruneiDarussalam – Although the government has yet to promulgate a comprehensive law on data protection, the country is guided by a Data Protection Policy since 2014. This policy covers personal data (in electronic or manual form) maintained by government agencies and educational institutions.

Cambodia – As of 2016, the Kingdom of Cambodia has yet to announce plans regarding the formulation of a national law on privacy and data protection.

Indonesia – At the moment, the country has a regulation for the protection of personal data in electronic systems. That said, the Indonesian government, through its Communications and Information Ministry, appears to be keen on passing a personal data protection bill this 2018. Probably recognizing the urgent need for one, the legislature has made it one of their priority policies this year.

Malaysia – Malaysia is currently enforcing the Personal Data Protection Act 2010 (PDPA) through its Personal Data Protection Department. Unlike Philippines’ DPA, the PDPA excludes the government sector from its scope.

Myanmar – In March 2017, Myanmar promulgated a 4-page law entitled Protecting the Privacy and Security of Citizens (Union Parliament Law 5/2017). According to the unofficial translation of the law by the Myanmar Center for Responsible Business (MCRB), the law explicitly prohibits interception of citizen’s electronic communications, private correspondences and, physical privacy, unless otherwise warranted by an “order”.

Singapore – Singapore’s Personal Data Protection Act 2012 (PDPA) has been in force since 2014, and is being implemented by the Personal Data Protection Commission. As in the case of the Philippines, the PDPA includes in its scope personal data being processed or controlled by both private and public entities.

Thailand – Pending the approval of a draft legislation, the Kingdom of Thailand still only has its Official Information Act 1997 to protect its citizens’ personal information that are being processed by state agencies.

It is also important to note that, most of these countries have privacy as a constitutional right—usually a requisite legal basis for enacting a data protection statute.

Finally, as a collective, the ASEAN adopted its first regional declaration on privacy via its 2012 Human Rights Declaration. Article 21 of the instrument provides that:

“Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data, or to attacks upon that person’s honour and reputation. Every person has the right to the protection of the law against such interference or attacks.”

This commitment led to the establishment of the ASEAN Framework on Personal Data Protection in 2016. The Framework sets out principles on data protection meant to guide member states in their respective implementation of related domestic laws and regulations.

The Framework’s provision on implementation allows member states to embark on joint activities that could strengthen cooperation and collaboration in the area of personal data protection. This may include information sharing and exchange, seminar or other capacity building activity, and joint research in areas of mutual interest.

Notably, the Framework gives due consideration to nations who may encounter delays in their application of the instrument’s provisions, given their varying levels of development.

Downloads

Contact Form
[doc] [pdf]Use this form to submit or file inquiries, concerns, complaints, or to report a security incident or data breach.

Security Incident Report Form
[doc] [pdf]For University Personnel, use this form to report a security incident or data breach.